duplicate keyid survey results

David Shaw dshaw@jabberwocky.com
Sat Mar 9 04:24:01 2002

On Sat, Mar 09, 2002 at 09:59:12AM +0900, Hironobu SUZUKI wrote:
> Len Sassaman:
> 1) The thing that comes to mind immediately for me is that you should
> allow for a 64-bit key-ID search.
> 2) The public key servers should do little more than accept, store,
> and report data that it contains. Preventing the display of keys with
> duplicate IDs steps over that line a bit too much for me.
> David Shaw:
> 3) If a duplicated keyid is requested from the current HKP and NAI
> LDAP keyservers, *all* matching keys are returned.  This is the
> correct behavior, as it lets the receiving program and the user decide
> which (if any) of the returned keys is the right one.
> ---
> 1) 64-bit KeyID will be supported. It's easy and no problem in the server.
> But I'm wondering how PGP/GPG users know their own 64-bit KeyID.

GPG uses 64-bit keyids internally, so even though most people don't
know their own 64-bit keyid, when someone does a --refresh-keys
command or a key is retrieved automatically because of the
--auto-key-retrieve option the 64-bit keyid can be used.

Even so, the user can see their 64-bit keyid by adding the
"--with-colons" option to the usual --list-keys or --list-sigs.

I'd even like to be able to search by fingerprint.  The way I see it,
since the 32-bit keyid is just the lowest 32 bits of the fingerprint,
and the 64-bit keyid is just the lowest 64 bits of the fingerprint,
the keyserver must calculate the fingerprint no matter what.  Since
it's already calculated, it would be nice to use it.

> 2) The HKP protocol, based on HTTP/1.0, does not define a warning status
> for found duplicate keys. We should define some specifications for
> duplicate keys.  This specification is not only a problem of public key
> server(s) but also a problem of OpenPGP client(s), a.k.a. PGP and GPG.
> 3) I think the "all matching keys are returned" solution is not a perfect
> idea. But I can support it easily for my public key server.  I'd like
> to know how this solution would work for PGP or GPG.

If you don't think this is the right way to go, what do you suggest as
an alternative?  I think a warning is fine, but not returning one of
the keys leaves the keyserver open for a denial of service attack.


   David Shaw  |  dshaw@jabberwocky.com  |  WWW http://www.jabberwocky.com/
   "There are two major products that come out of Berkeley: LSD and UNIX.
      We don't believe this to be a coincidence." - Jeremy S. Anderson
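As an added illustration of two points in the message above, the derivation of the 32-bit and 64-bit keyids from the v4 fingerprint and a keyserver lookup that returns every matching key rather than hiding duplicates, here is a small Python example. It is editorial example code, not David Shaw's, GnuPG's or any keyserver's code. The RSA values, the creation time and the two "colliding" fingerprints used by the index demo are constructed for the demonstration: they are not real keys, and no real collision was computed, the constructed fingerprints were simply written to share their low 32 bits.

```python
import hashlib
from collections import defaultdict


def mpi(n: int) -> bytes:
    """Encode a non-negative integer as an OpenPGP MPI:
    two-octet bit length followed by the big-endian magnitude."""
    if n == 0:
        return b"\x00\x00"
    nbits = n.bit_length()
    return nbits.to_bytes(2, "big") + n.to_bytes((nbits + 7) // 8, "big")


def v4_rsa_public_key_body(created: int, n: int, e: int) -> bytes:
    """Body of a version 4 Public-Key packet for RSA (public-key algorithm 1):
    version octet, 4-octet creation time, algorithm octet, MPI n, MPI e."""
    return b"\x04" + created.to_bytes(4, "big") + b"\x01" + mpi(n) + mpi(e)


def v4_fingerprint(body: bytes) -> str:
    """v4 fingerprint (RFC 4880 section 12.2, same rule as RFC 2440): SHA-1 over
    the octet 0x99, the two-octet body length, and the Public-Key packet body."""
    data = b"\x99" + len(body).to_bytes(2, "big") + body
    return hashlib.sha1(data).hexdigest().upper()


def keyid64(fingerprint: str) -> str:
    """The 64-bit keyid is the low-order 64 bits (last 16 hex digits) of the fingerprint."""
    return fingerprint[-16:]


def keyid32(fingerprint: str) -> str:
    """The 32-bit ('short') keyid is the low-order 32 bits (last 8 hex digits)."""
    return fingerprint[-8:]


class KeyIndex:
    """Minimal keyserver-style index. Keys are stored under their full fingerprint;
    a keyid lookup returns *every* key whose fingerprint ends in that id, leaving
    the choice to the client instead of silently dropping colliding keys."""

    def __init__(self):
        self.by_fingerprint = {}            # fingerprint -> label
        self.by_id64 = defaultdict(list)    # 64-bit keyid -> [fingerprint, ...]
        self.by_id32 = defaultdict(list)    # 32-bit keyid -> [fingerprint, ...]

    def add(self, fingerprint: str, label: str) -> None:
        fp = fingerprint.upper()
        if fp in self.by_fingerprint:
            return  # the same key is already stored; nothing to do
        self.by_fingerprint[fp] = label
        self.by_id64[keyid64(fp)].append(fp)
        self.by_id32[keyid32(fp)].append(fp)

    def lookup(self, query: str) -> list:
        """Accept a 40-digit fingerprint, a 16-digit or an 8-digit keyid (optional 0x)."""
        q = query.upper()
        if q.startswith("0X"):
            q = q[2:]
        if len(q) == 40:
            return [q] if q in self.by_fingerprint else []
        if len(q) == 16:
            return list(self.by_id64.get(q, []))
        if len(q) == 8:
            return list(self.by_id32.get(q, []))
        raise ValueError("query must be a fingerprint or a 32/64-bit keyid in hex")


# Constructed sample key material (NOT a real key; real RSA moduli are 1024+ bits).
SAMPLE_BODY = v4_rsa_public_key_body(created=0x3C897E00, n=0xC0FFEE1234567890ABCDEF, e=65537)
SAMPLE_FP = v4_fingerprint(SAMPLE_BODY)

# Constructed fingerprints written to share the same low 32 bits, so the index demo
# has a duplicate short keyid to cope with (no real collision was computed).
COLLIDING_FPS = {
    "1111111111111111111111111111111112345678": "first key (constructed)",
    "2222222222222222222222222222222212345678": "second key (constructed)",
}


def build_index() -> KeyIndex:
    idx = KeyIndex()
    idx.add(SAMPLE_FP, "sample key (constructed)")
    for fp, who in COLLIDING_FPS.items():
        idx.add(fp, who)
    return idx


if __name__ == "__main__":
    print("fingerprint :", SAMPLE_FP)
    print("64-bit keyid:", keyid64(SAMPLE_FP))
    print("32-bit keyid:", keyid32(SAMPLE_FP))
    idx = build_index()
    print("lookup 0x12345678 ->", idx.lookup("0x12345678"))
```

The index deliberately stores keys by fingerprint and only uses the keyids as lookup aliases: that is what makes "return all matches" cheap, since the fingerprint has to be computed when the key is imported anyway, and it is also what makes a direct fingerprint search possible.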